Annual Report 2015 – Summary
ANNUAL REPORT 2015 – ITALIAN DATA PROTECTION AUTHORITY
The Annual Report on the Italian Data Protection Authority's 19th year of activity was submitted to Parliament on the 28th of June, 2016. The DPA's Panel of Commissioners includes Antonello Soro, Augusta Iannini, Giovanna Bianchi Clerici, and Licia Califano.
As well as taking stock of the activities performed in 2015, the Report outlines the future scope of action of the DPA in order to ensure the effective protection of personal data – especially online – and meet the challenges arising from the new economic growth models and the increasing demand for protection coming from individuals.
Key Areas of Activity
The main areas addressed by the Italian DPA in 2015 included the fight against terrorism and massive data collection; cybercrime; online profiling and social media; the new monopolistic regimes created by Net giants; the online transparency of public administrative bodies and the protection of taxpayers' privacy; the use of new technology in the workplace; the protection of data contained in judicial case files; protection of children by the media; consumer rights; large public databases; education and schools; e-Health.
The DPA continued its work aimed at ensuring the protection of privacy in the online world, starting from search engines and social networks. The Italian DPA – the first in Europe to require Google to take specific corrective measures – finalised its checks based on the verification protocol that had been submitted by the Mountain View company. The DPA ordered Facebook to stop fake accounts and improve transparency and user control.
Regarding the Internet of Things, a public consultation was launched with a view to developing rules that can ensure user data are processed properly; the DPA is also participating in an international survey focusing mainly on domotics.
Specific guidelines for online profiling from the main websites were issued to afford users the required safeguards.
The criteria for granting right to be forgotten requests (including de-listing of URLs) were clarified; the right to have online archives of newspapers updated was strengthened further.
Cybersecurity took on special importance in 2015, as shown by the number of data breach notifications submitted to the DPA in the electronic communications services sector, which almost doubled to a total of 49. In this connection, the DPA issued a decision requiring public administrative bodies to notify data breaches and/or IT incidents – in advance of the obligations arising from the new EU data protection regulation.
Measures were also laid down to enhance data protection in Internet data exchange nodes (IXP).
In the e-Health sector, the Guidelines on the Health Dossier were adopted to increase data protection safeguards for patients. Regarding health care in general, the DPA provided guidance on disease registries, neonatal screenings, and security measures applying to the new centralised IT system.
Several opinions were rendered by the DPA to the competent ministries (and to Parliament) in order to reconcile public administrative transparency with citizens' privacy and dignity by focusing on the right balance to be struck between mandatory publication of public records and dignity of the individual – as also related to judicial decisions.
Additionally, opinions were rendered by the DPA on the consent statement for organ donation, on the e-stay permit, and on the so-called ‘student card’.
Regarding tax matters, in particular the new pre-filled tax return (‘730’) form, the DPA stepped in by requiring specific technical and organisational measures to be in place in order to protect taxpayers' data and ensure exercise of their rights under the Italian privacy law.
In 2015 the DPA continued its special commitment to bringing major public databases into line with security requirements – foremost among them the Taxpayers' Registry.
Technical measures and other safeguards were laid down with a view to implementing the computerised handling of tax-related litigations.
A Code of Conduct for Business Information was adopted by the DPA so as to reconcile business requirements with a fair use of data on managers' and entrepreneurs' reliability.
Work continued to prevent unregulated (‘wild’) telemarketing – which is unfortunately on the rise and requires new rules to be introduced, as has long been advocated by the DPA. Over 3,000 complaints were lodged with the DPA in the first months of 2016.
The relationship between privacy and journalism (the right to inform) was another key area, in particular as regards the protection of children.
A Few Figures
692 decisions were adopted by the panel of the DPA's Commissioners in 2015.
About 5,000 inquiries, claims and reports were handled with particular regard to telemarketing, consumer credit, video surveillance, credit and banking, insurance companies, Internet, journalism, health care and welfare services.
307 complaints were adjudicated mainly concerning banks and financial companies, marketing, publishing houses (including TV companies), public administrative bodies and public service outsourcing, credit bureaux, business information services.
44 opinions were rendered to Government and Parliament ranging from police and intelligence services to the computerisation of public administrative databases and judicial proceedings, taxation issues and health data.
303 inspections were carried out, partly with the help of the Privacy Squad at Italy's Financial Police. The targeted entities included software houses providing support to police investigations and the judiciary; call centres in the telemarketing industry, some of them located abroad; banks; electronic communications providers, with regard to the retention of telephone and Internet traffic data; private credit bureaux; the revenue agency's taxpayers' registry; money transfer companies; and issuers of unlawfully activated phone cards. As for the public sector, the inspections focused on taxation and the revenue agency, with particular regard to security measures and internal audits, as well as on e-Health applications – from electronic health dossiers to the e-Health file up to online booking systems.
The number of administrative violations found in 2015 almost trebled compared to the previous years, totalling about 1,700. A substantial portion among them consisted in data processed unlawfully – mainly because of the lack of consent; in the failure by electronic communications service providers to notify data breaches (to data subjects and/or the DPA); in providing no or flawed information to users on the processing of their personal data; in the excessive retention of telephone and Internet traffic data; in the failure to take security measures, disclose documents as requested by the DPA or comply with measures adopted by the DPA.
The administrative fines levied totalled about 3.5 million Euro.
The DPA lodged reports with judicial authorities in 33 cases – in particular due to the failed adoption of minimum security measures.
As for public outreach, over 25,600 requests for information were handled concerning, in particular, unsolicited marketing calls, Internet, video surveillance, publication of records by public administrative bodies, and data protection in the workplace.
No less important and demanding was the work carried out by the DPA at international level, starting from the ‘Article 29 Working Party’ of the EU DPAs, where President Soro was appointed as Vice-Chair. The Working Party adopted several opinions and documents addressing, among other things, drones, cloud computing, e-health, ‘cookies’, data protection in the financial sector, binding corporate rules, and the Passenger Name Record (PNR) directive.
Especially significant was the assessment carried out regarding the effects produced by the Schrems judgment of the Court of Justice of the EU, which invalidated the Safe Harbor agreement enabling data transfers from the EU to the USA.
Considerable importance also attached to the work related to the reform of the EU data protection framework, i.e. the so-called ‘data protection package’; the package was finalised by the adoption of the new General Regulation (which came into force on 24 May 2016) and the Directive on the processing of personal data for judicial and police purposes (which came into force on 5 May 2016). The Garante followed the discussion on the revised EU legal framework throughout, in particular by participating as a technical expert in the meetings of the competent DAPIX working party at the EU Council.
The DPA contributed to the work in progress at the Council of Europe in order to revise the 1981 data protection Convention as well as to draft new Recommendations on the processing of personal data in the workplace; OECD initiatives were also followed carefully with particular regard to tax data exchange rules. Cooperation with international groups fostering targeted enforcement initiatives such as the Global Privacy Enforcement Network (GPEN) was strengthened as well.
Finally, reference should be made to the in-depth activities carried out by the DPA as a member of the Schengen, Europol, Eurodac and CIS (Customs Information System) joint supervisory authorities.
Rome, 28 June 2016